Binary patches for the "Heartbleed" OpenSSL vulnerability. 9 April 2014
==========================================================

Background
----------
On 7 April 2014, a serious vulnerability in OpenSSL was announced. It's
being called the "Heartbleed" bug, and has identifier CVE-2014-1060.
See <http://heartbleed.com>. OpenSSL versions from 1.0.1 to 1.0.1f are
vulnerable, and version 1.0.1g is fixed.

Affected versions of NetBSD
---------------------------
NetBSD-5.0 and older: Not affected, because these versions of NetBSD
    contain older versions of OpenSSL.

NetBSD-6.0 branch: Versions from 6.0 to 6.0.4 are affected. The files
    in this directory apply to these versions. NetBSD 6.0.5 will
    contain OpenSSL version 1.0.1g, which is fixed.

NetBSD-6.1 branch: Versions from 6.1 to 6.1.3 are affected. The files
    in this directory apply to these versions. NetBSD 6.1.4 will
    contain OpenSSL version 1.0.1g, which is fixed.

NetBSD-current: NetBSD-current versions from June 2011 until 8 April
    2014 contain vulnerable versions of OpenSSL 1.0.1. Users of
    NetBSD-current should update their systems from source.

Pkgsrc: Pkgsrc versions of OpenSSL from openssl-1.0.1 to openssl-1.0.1fnb1
    are vulnerable. Pkgsrc openssl-1.0.1g is fixed.

    Regardless of what version of NetBSD you use, if you are using a
    version of OpenSSL from pkgsrc, then you should update to pkgsrc
    openssl-1.0.1g or later.

These files
-----------
The files in this directory apply to NetBSD versions from 6.0 to 6.0.4,
and 6.1 to 6.1.3, as well as any systems built from a netbsd-6* branch
before 8 April 2014.

These files contain libcrypto.8.2 and libssl.10.3 for NetBSD 6.X
systems, which should patch the "heartbleed" OpenSSL vulnerability.
SHA512 and MD5 checksums are included - please verify them before
installing.

PLEASE make sure to grab the right one for your architecture, which
in most cases is indicated by the output of "uname -m".

To apply, untar as root as follows:

    # cd /
    # tar xpzf /path/to/file.tgz

...and then verify that "openssl version" shows the new libs in
use:

    # openssl version
    WARNING: can't open config file: /etc/openssl/openssl.cnf
    OpenSSL 1.0.1c 10 May 2012 (Library: OpenSSL 1.0.1g 7 Apr 2014)
    #

You will then need to restart any webservers or anything else using
OpenSSL.
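
As an added example (not part of the original README or of NetBSD's own
tooling), here is a POSIX sh check for the "openssl version" step above. It
reads the "Library:" field, which names the library actually loaded at run
time, rather than the leading version compiled into the openssl binary, and
classifies it against the ranges given under Background. The function names
and status strings are assumptions of this example.

```shell
#!/bin/sh
# Added example: post-install check for the "openssl version" step.
# Function names and status strings are assumptions of this example.

# Print the version of the OpenSSL library loaded at run time, read from
# `openssl version` output on stdin. Prefer the "(Library: ...)" field; fall
# back to the leading version when that field is absent.
runtime_lib_version() {
    while IFS= read -r line; do
        case $line in
            *"(Library: OpenSSL "*)
                v=${line#*"(Library: OpenSSL "}; echo "${v%% *}"; return 0 ;;
            "OpenSSL "*)
                v=${line#"OpenSSL "}; echo "${v%% *}"; return 0 ;;
        esac   # other lines (e.g. the config-file WARNING) are skipped
    done
    return 1
}

# Classify a version against the ranges in this README: 1.0.1 through 1.0.1f
# vulnerable; 1.0.1g (and later 1.0.1 letter releases) fixed.
heartbleed_status() {
    case $1 in
        1.0.1|1.0.1[abcdef])          echo vulnerable ;;
        1.0.1[ghijklmnopqrstuvwxyz])  echo fixed ;;
        *)                            echo outside-listed-range ;;
    esac
}

# Read `openssl version` output on stdin, print "<version> <status>", and
# return non-zero if the loaded library is vulnerable or cannot be parsed.
check_output() {
    ver=$(runtime_lib_version) || { echo unparsed; return 2; }
    status=$(heartbleed_status "$ver")
    echo "$ver $status"
    [ "$status" != vulnerable ]
}

# Sample input: the output quoted in the README above.
SAMPLE="WARNING: can't open config file: /etc/openssl/openssl.cnf
OpenSSL 1.0.1c 10 May 2012 (Library: OpenSSL 1.0.1g 7 Apr 2014)"
printf '%s\n' "$SAMPLE" | check_output
# On a live system: openssl version 2>&1 | check_output
```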
NOTE: it is recommended to upgrade to NetBSD 6.0.5, or 6.1.4, or 6.2,
when they become available.